From the CTO’s corner: Simon Gardner, Oper8 Global Group
You’d have to be living under a rock if you didn’t know that cybersecurity threats have ramped up this year, with a seemingly endless number of attacks and a proliferation of tools, technologies and methods available to malicious actors around the globe.
The good news is that thanks to widespread media reporting, we’re also a lot more aware of the risks out there. A few years ago, if you asked the average person on the street about phishing attacks, the answer would have been a blank stare; now, more than likely they will tell you all about it, and probably explain vishing to you as well.
According to the leading cybersecurity predictions, the threat landscape is only getting worse, with 2026 likely to see the accelerating influence of AI, the growing maturity of tactics like ransomware and supply chain attacks, and the expectation that quantum computing will soon break current encryption standards.
So, what’s my point?
With the current media focus and attention on remote or digitally based threats and risks, we can’t be distracted and take our eye off physical security – especially in the data centre – because cyber and physical security are intrinsically linked in terms of both threat and response.
In the mass transformation of businesses into digital enterprises, our physical computing facilities have never been more critical to our ongoing operations and viability. Take out a data centre or server room, and parts (if not all) of your business stop running. That could lead to anything from loss of reputation or revenue to loss of lives.
Worryingly, the UK’s National Protection Security Authority (NPSA) believes that a lot of data centres are lacking sufficient physical security. In security planning guidance it published last month, the NPSA outlines that physical security needs to be factored in as one of the five core elements of holistic security planning.
According to the NPSA, technical components to physical security relate to access control; visual surveillance systems; perimeter security; and intruder detection systems. I’ll take you through each in turn and their importance in the overall make-up of your data centre facilities.
Access control
The NPSA defines access control systems as the first point of challenge, representing the boundaries between private and public areas. However, it’s a little more nuanced than that. If we are referring to stand-alone data centre facilities, that private/public separation is applicable, but you also need to consider server rooms or a micro or modular data centre located in an office or inside a larger secured facility that might not need the same level of control.
The granularity of your door access systems, and also the Security Rating (SR) of the physical doors or access points themselves – from SR1 (requiring minimal tools to break in) all the way up to SR8 – will depend on the data centre’s location and how exposed it is to external access or harm, what you are trying to protect, and your appetite for risk versus the cost of implementing additional security measures.
You will also need robust monitoring tools so that if your access controls are breached, you know about it immediately, and can take steps to respond and minimise or mitigate any damage.
Visual surveillance systems
Your data centre location, risk appetite and the value of what you are trying to protect are applicable to all physical security measures, including visual surveillance systems, or CCTV to use an outdated acronym for convenience!
CCTV is an important deterrent for would-be attackers, but it also offers the first evidence of an attempted breach of a facility, provided the video feeds are being monitored. With the advent of AI-enabled computer vision, the capability that you have to monitor video is changing dramatically. These systems are automatically detecting and alerting security personnel to potential threats or suspicious behaviour, and even being integrated with infrared, thermal, X-ray and CT imaging systems to extend that capability even further.
Perimeter security
CCTV forms part of a broader array of technical perimeter security measures that could also include motion detection systems, alarms and lighting. The goal here is to increase the difficulty and time taken for a would-be attacker to breach the facility, giving more time for you to respond and prevent it.
Perimeter security sensors are also essential for data centre operators to respond rapidly to non-malicious threats or harm, such as a vehicle, or a tree or other debris from a storm, hitting and damaging the facility, or its electricity or networking connections.
Intruder detection systems
These sensors or detectors could form additional measures for the perimeter; or for more sensitive or secure parts within the facility. For example, there might be certain racks or rooms that have more stringent controls based on any number of parameters.
This technology includes switches on doors and windows, vibration detectors in halls or doorways, or volumetric detectors in rooms. Again, this technology could also kick in to alert operators to other forms of potential damage, like earthquakes, which can have a devastating impact on data centres and surrounding infrastructure.
Operational considerations
The wash up to all of this? Physical security can’t be underestimated, but it also shouldn’t be over-engineered. The requirements of a remote mine site in Kenya compared to an office block in London are very different.
It all comes down to designing and implementing what’s right for each scenario and set of operational requirements. It’s what the NPSA refers to as a “risk-based layered approach to security” and using the “3Ds philosophy” – to “Deter, Detect and Delay” the attackers or threat.
Let me know if you’d like to “get physical” and chat further.